On Tue, Nov 20, 2001 at 09:54:22AM -0600, Shawn wrote:
> I'm going to be installing Debian stable (woody?) in the next couple
> of days on my firewall/gateway machine. Dual NIC's, Pentium 120, 32MB
> ram. Is there anything in particular I need to watch out for?

Install the base system from the woody floppies. Woody is a minimum
requirement if you want to run Linux 2.4. The reason for this is that the
supporting system tools need to be upgraded from those present on potato.
I.e. modutils, mount, etc.

I usually go for the advanced installation option and bypass any task
selection, since they will likely install software you don't want or
need. Even then, I usually quit out of dselect or whatever front-end they
use and get to the shell prompt. The tool to use is 'apt-get'. You
probably won't have manpages installed from the base install, so you
might want those. I would suggest the following:

    bsdutils
    psmisc (fuser, killall, pstree)
    lsof (list open files... good diagnostics)
    syslog-ng (nice replacement for sysklogd)
    logrotate (not for syslog-ng, but for other software)
    ssh (obvious reasons)
    net-tools (familiar -- if not old -- ifconfig, route, etc.)
    iptables
    iproute (ip tool -- replaces route, ifconfig, etc)
    manpages (optional)
    snort (optional)
    mrtg (optional)
    iptraf (GREAT tool)
    nmap (Excellent tool)
    mtr (a very nice tracerouting tool for the console or gui)
    traceroute
    dnsutils (for host(1), dig(1), and family)
    ntpdate (you likely don't need an ntp server running. ntpdate is a
             nice client you can set up through cron to periodically
             update the clock)
    openssh (used for ssl)
    oidentd (Give IRC servers fake identd responses, run from inetd)
    xinetd (replace netkit-inetd superserver)
    aide|tripwire (for diagnosing/detecting breakins)
    nano (very simple editor)
    vim (my favorite editor)*
    ash (a minimalistic POSIX shell, a bit more compliant than bash)
    cron (of course)
    at (I'm not sure. I remember this being a security risk...anyone?)
    ssmtp (very minimalistic SMTP client/sendmail nullclient replacement)
    exim (also small, default SMTP server for Debian)

* ae(1) is installed by default and has multiple keybinding modes,
  including wordstar, joe, emacs, pico, and vi.

Essentially, this is all you need. That's a pretty good start.

Here's a tip for setting all of these up in a relatively simple and
no-nonsense way. Use the following:

    bash# echo "package install" | dpkg --set-selections
    bash# apt-get dselect-upgrade -u

If you want to install a bunch of packages, do something like:

    bash# for i in package1 package2 package3 ; do echo "$i install" | \
    bash> dpkg --set-selections; done
    bash# apt-get dselect-upgrade -u

Or use a file:

    #----- BEGIN FILE (CUT HERE) -----
    package1 install
    package2 install
    package3 install
    #------ END FILE (CUT HERE) ------

    bash# dpkg --set-selections < installthesepackages
    bash# apt-get dselect-upgrade -u

Once you have a running system, look at the manpages for interfaces(5),
ifup(8), ifdown(8). The interfaces file is located in /etc/network/ and
the run-parts directories (if-up.d, if-down.d, if-pre-up.d,
if-post-down.d) may contain executable scripts you would like to run per
event. One script I like to use is:

    #! /bin/sh
    # save my environment to a temp file
    set > /tmp/ifupdown-env.$$
    # EOF

You'll find some very useful environment variables from this. In
particular: IFACE, IF_ADDRESS, IF_NETMASK, IF_NETWORK, IF_BROADCAST,
IF_GATEWAY, and MODE. That allows fun scripts such as:

    #! /bin/sh -e
    #
    # Set up forwarding

    # source the config file (POSIX sh spells "source" as ".")
    # It is expected to set EXTIF and MYSVR (the internal server to
    # forward to).
    [ -f /etc/network/my_config ] && . /etc/network/my_config
    EXTIF=${EXTIF:-eth0}

    # If the interface is the external one, continue, otherwise exit.
    [ "X${IFACE}X" = "X${EXTIF}X" ] || exit 0
    # Nothing to forward to if the config file did not set MYSVR.
    [ -n "$MYSVR" ] || exit 0

    # Set up forwarding (ifupdown sets MODE to "start" on ifup and
    # "stop" on ifdown)
    case $MODE in
        start)
            iptables -t nat -A PREROUTING -i $EXTIF -p tcp \
                -m multiport --dports ftp,ssh,http,https \
                -j DNAT --to-destination $MYSVR
            ;;
        stop)
            iptables -t nat -D PREROUTING -i $EXTIF -p tcp \
                -m multiport --dports ftp,ssh,http,https \
                -j DNAT --to-destination $MYSVR
            ;;
    esac
    # EOF

Alternately, you can specify these in your /etc/network/interfaces
directly.

    # /etc/network/interfaces
    auto lo eth0 eth1
    ...
    iface eth0 inet static
        address ...
        ...
        up iptables -t nat -A PREROUTING ...
        down iptables -t nat -D PREROUTING ...
    # EOF

Good luck!

-- 
Chad Walstrom <chewie at wookimus.net>          | a.k.a. ^chewie
http://www.wookimus.net/                         | s.k.a. gunnarr
Key fingerprint = B4AB D627 9CBD 687E 7A31 1950 0CC7 0B18 206C 5AFD
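An added example, not part of Chad's message: the same ifupdown hook idea written as plain POSIX sh (so it runs under ash or dash as well as bash) with the interface test, the MODE-to-action mapping and the rule construction split into functions that can be exercised without touching a live firewall. It assumes the hook is installed in /etc/network/if-up.d/ and /etc/network/if-down.d/, that ifupdown supplies IFACE and MODE in the environment, and that on a real box EXTIF and MYSVR would come from the /etc/network/my_config file mentioned in the mail (a hypothetical path). The defaults for EXTIF, MYSVR and PORTS below are constructed; setting IPTABLES=echo prints the rule instead of installing it.

```shell
#!/bin/sh
# Added example (not Chad's script): a POSIX sh ifupdown hook that installs
# a DNAT port-forwarding rule when the external interface comes up and
# removes it when the interface goes down. ifupdown passes IFACE and MODE in
# the environment. EXTIF and MYSVR would normally be set by
# /etc/network/my_config (hypothetical); the defaults here are constructed
# so the functions can be tested without a config file.
# IPTABLES=echo turns the hook into a dry run that just prints the rule.

EXTIF="${EXTIF:-eth0}"
MYSVR="${MYSVR:-192.0.2.10}"          # constructed RFC 5737 test address
PORTS="${PORTS:-ftp,ssh,http,https}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# dnat_action MODE: print -A for start and -D for stop; fail for any other
# ifupdown phase (pre-up, post-down, ...) so the caller does nothing there.
dnat_action() {
    case "$1" in
        start) printf '%s\n' '-A' ;;
        stop)  printf '%s\n' '-D' ;;
        *)     return 1 ;;
    esac
}

# dnat_rule ACTION IFACE: print the iptables arguments for the rule.
# Matching on -i IFACE keeps the redirect from applying to packets that
# arrive on the LAN side, and -p tcp must be given before -m multiport.
dnat_rule() {
    echo "-t nat $1 PREROUTING -i $2 -p tcp -m multiport --dports $PORTS" \
         "-j DNAT --to-destination $MYSVR"
}

# is_external IFACE: succeed only for the external interface.
is_external() {
    [ "$1" = "$EXTIF" ]
}

# apply_hook IFACE MODE: install or remove the rule. Returns 0 without
# doing anything for other interfaces and modes, so ifupdown never sees
# a spurious failure from this hook.
apply_hook() {
    is_external "$1" || return 0
    action=$(dnat_action "$2") || return 0
    # shellcheck disable=SC2046   # word splitting of the rule is intended
    $IPTABLES $(dnat_rule "$action" "$1")
}

# When ifupdown runs the hook both variables are set; when the file is
# sourced for testing they are not, and only the functions are defined.
if [ -n "$IFACE" ] && [ -n "$MODE" ]; then
    apply_hook "$IFACE" "$MODE"
fi
```

Because the hook exits 0 for every interface and phase it does not handle, it is safe to symlink the same file into both if-up.d and if-down.d; the dry-run variable makes it easy to review the exact rule ifup would install before deploying it on the gateway.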